Brace for change: An interview with Tony Hayes of ISACA

"If [IT] were in the construction business, it is almost like one in five buildings fall over each year and just crush people on the street."

For Hayes, this figure of speech is apt to describe the magnitude and impact of failed IT projects.

"That is inexcusable, but it still happens in 2013," says Hayes, who recently visited New Zealand in his role as the international president of ISACA, the association of risk management professionals.

IT has enabled the business in many aspects of the way we are today, he says. But there is still that fair share of incidents annually that are causing businesses and not-for-profit organisations a significant amount of money.

At the ISACA forum in Auckland and in a separate interview with CIO New Zealand, Hayes shares a variety of slides underscoring this gap.

Gartner, he says, has reported more than US$600 billion that's thrown away annually on ill-conceived or executed projects. The Standish Group reports 19 percent of IT projects fail outright, 46 percent are challenged, and only 35 percent are successful.

He cites the Harvard Business Review 2011 article stating that one in six project-cost overruns are 200 percent.

The Standards Australia, meanwhile, highlights that 15 to 28 percent of IT projects are abandoned before completion, and 30 to 40 percent of projects have some form of escalation costs.

"They are disturbing numbers, whether they are taxpayer dollars, shareholder, or personal dollars."

Related: KPMG Project Management Survey in NZ: Project activity on the rise compared to three years ago, but so are failure rates.

As a result of the global financial crisis, rise of bring-your-own-device (BYOD), cybersecurity incidents, and tightening of fiscal belts, there is a heightened focus on ensuring that the appropriate risk management and business case development are present, he says.

Related: IT projects are failing at an alarming rate

"There is more scrutiny of that now than we have ever seen," he says. "IT risk professionals are in high demand, because they are involved very much in the front end and during the life of the project."

He would like, however, to see a greater uptake of students attending university who will have the technology and business IT background necessary for this type of work.

Related: Most ANZ organisations unprepared for 'Big Data': Lack of analytics capabilities a prime concern to 28 percent of IT professionals, reports ISACA.

A message he wants out in the industry and to students is: "The IT industry has such a diverse range of opportunities. You are not locked into a keyboard; you are not locked into screens; you are not locked into just playing with data.

"There is a whole stack of opportunities as part of the user interface, as part of the systems design project management, change management, and indeed leading to all the dimensions of implementation and bringing about reforming the organisation."

Having that understanding of business and IT and having that mixture of skills is what is needed going forward, he says.

Related: ISACA study: Cancelled IT projects on the rise in Asia Pacific

What would be a great foundation for this?

A degree in business or commerce is a good starting point, he says, complemented with some specialisation in higher order IT. This can be followed by a postgraduate study or master level work in courses around business reform, change management, project management, project delivery, and data management. All of these aspects will come together to complement the undergraduate degree.

"As a consequence, that combination of skills and experience will bring about a person, who by the age of 30 or 35, will be well-equipped to be part of teams that are in high demand across the world."

Related:The view from the trenches: ISACA ForumFour New Zealand CIOs talk about key issues their teams are facing, and the new areas ICT is working on.

Next: 'Cybersecurity has now become everyone's business'

Page Break

Hayes notes that with some of the events around security breaches, cybersecurity is now becoming "more and more an IT of discussion on everyone's lips".

"It used to be just discussed at whole of country and federal government level,' he says. "Cybersecurity now becomes everyone's business, depending on who you are in the organisation."

He has observed a significant growth in the members of ISACA who identify themselves working in the area or security or IT risk management.

In the last four years, for instance, the growth in the number of people in the IT risk management space has gone from 8.3 percent per annum to 14.7 percent per annum. "We are seeing the increase in attendance at IT risk management courses and certifications doubled in the last two years."

Based on his discussions with ISACA and C-suite executives in Australia, he says the latter forecast an increase in demand for information security professionals of 28 percent in the next 12 months; and a 20 to 21 percent increase in IT risk management professionals.

Hayes says an issue that is becoming topical at conferences around the world is BYOD.

Related:ISACA survey: Benefits of 'Internet of things' outweigh risks to ANZ organisations

"A younger generation coming through are bringing their own device to the workplace and they appreciate they can do all things in their hand-held device, whatever they might be, and they are expecting they should be able to use their device at work, as well."

He adds that one of the biggest issues facing organisations today is how to manage that, how to provide that access. But, at the same time, not put the organisation at "extraordinary risk" if the user loses the device or it is stolen, or "stumbles across things they should not have access to" due to security gaps.

Follow Divina Paredes on Twitter: @divinap

Follow CIO New Zealand on Twitter:@cio_nz

Sign up for CIO newsletters for regular updates on CIO news, views and events.

Join us on Facebook.